Reverse engineering the Td5 ECU

**OffTrack** · 6th March 2013, 12:35 PM

Just thought I'd make a quick post on a project I've been working on to reverse engineer the NNN Td5 ECU.

At this stage I've been able to disassemble around 90% of the code for ECU, with the exception of a few things like branch statements with 32bit destination addresses and a couple of other sections. The problem with the branch statements appears to be a bug in the processor module supplied with the the software, and is pretty annoying as there are sections of the code that is littered with these branch instructions.

This is one example following a section of code which enables communication with a ISO9141 interface chip - used for k-line diagnostic communications:

The instruction 0x60FF is an example of what is causing me issues at present. I am able to manual disassemble the instruction, and the correct instruction is written in the comment in blue. Hopefully I'll be able to fix this issue reasonably simply, although I suspect this will require writing an extension to the existing processor.

Above is a shot of a section of my current NNN500030 ECU. The main difference to the NNNx00x20 is the CANBUS interface chip which is used to handle communications with the AutoBox ECU. You can also see in this shot the location of the ISO9141 driver chip that is used for the K line diagnostics, including the OBD-II and Diagnostic Tools.

This initially started as a means of access the configuration of the CPU so I could correctly configure the ECU for reprogramming via BDM which is documented elsewhere:

http://www.discotd5.com/diagnostics/...amming-td5-ecu

The additional disassembly and working out what the programming is actually doing is going to be a fairly slow process but should hopefully yield some useful information.

cheers
Paul

**OffTrack** · 10th March 2013, 06:22 PM

To assist in understanding what the ECU code is doing I've been tracing signal lines from the ECU connector pins across the PCB.

The board is 4 layers and appears to follow convention by using the inner two layers for power and ground. The signal traces are almost entirely confined to the top and bottom of the board, but often switch sides using connections that pass through the layers. This means you need access to both sides of the PCB to have any real hope of following the trace.

As an example, this is Pin 11 on the Red ECU connector. There is a short trace from the pin to a resistor, with a via immediately before the trace reach the resistor.

The trace then switches to the bottom of the board to cross to a location beneath the transformer from where it switches back to the top of the board.

From this location the trace runs under the transformer then beneath the two large capacitors were it switches back to the bottom of the board before finally switching back to the top layer near the cpu.

By doing this I can see which section of the CPU is processing particular inputs and determine exactly how the ECU is using the information rather than relying on guesswork.

cheers
Paul

**Slunnie** · 10th March 2013, 06:27 PM

You lost me at NNN, but I am so incredibly impressed that you can make sense of these things!

**robbotd5** · 10th March 2013, 07:00 PM

Me too. I can apreciate what you are doing though Paul. Excellent work.
If I ever have ECU related problems....
Regards
Robbo

**OffTrack** · 10th March 2013, 07:49 PM

Thanks guys. This is pushing the boundaries for me. I've done some programming in assembly before so I have a reasonable idea of how to work out what the software is doing, but this is way more complex that anything I've tackled before.

I won't really get into details too much, but I'll try to post up general information on things that will help with diagnostics as I go.

cheers
Paul

**Disco Muppet** · 10th March 2013, 07:57 PM

Originally Posted by Slunnie

You lost me at NNN, but I am so incredibly impressed that you can make sense of these things!

You lost me at "ECU"

I now have this image of you wearing those magnifying spectacles in some dark room filled with soldering iron smoke and old school computer monitors streaming lines of green code.
Nice work!
Cheers
Muppet

**OffTrack** · 10th March 2013, 09:12 PM

Originally Posted by Disco Muppet

You lost me at "ECU"

I now have this image of you wearing those magnifying spectacles in some dark room filled with soldering iron smoke and old school computer monitors streaming lines of green code.
Nice work!
Cheers
Muppet

My partner won't let me get away with that

I'm using a Mac laptop, multimeter and illuminated magnifier working on a kitchen table in a room with lots of ventilation and natural light

I'm working with the ECU out of my D2 so I'm very reluctant to put a soldering iron to it unless absolutely necessary. I've actually got things sorted so that I can debrick an ECU without doing any soldering at all.

cheers
Paul

**Disco Muppet** · 10th March 2013, 09:25 PM

Originally Posted by OffTrack

My partner won't let me get away with that

I'm using a Mac laptop, multimeter and illuminated magnifier working on a kitchen table in a room with lots of ventilation and natural light

Sure you're not McGuyver?

Originally Posted by OffTrack

I'm working with the ECU out of my D2 so I'm very reluctant to put a soldering iron to it unless absolutely necessary. I've actually got things sorted so that I can debrick an ECU without doing any soldering at all.

cheers
Paul

My auto-electrical knowledge is limited to 'red to red, black to black' and I even managed to get that one wrong

**OffTrack** · 14th May 2013, 03:50 PM

Bit of an update. I finally worked out a solution to the long branch instruction problem I was having. While reading the 68000 Programmers Ref Manual (as you do) I had another look at the Bcc information, and noticed that the long word variants are not supported on CPU32 processors. Despite the Td5 using a CPU32 processor I thought I'd try switching to 68040 processor (apart of the same family of processors). Sure enough the long branch instructions disassembled

This is the same bit of code as I posted up previously to illustrate the problem, but post fix and showing the bra.l instruction:

I've also found that another section of code I was struggling with is microcode for the TPU module which handles the Crank Position Sensor signal. I'm not sure I can disassemble this microcode as it uses a different assembler to the "normal" code but I'm not sure there is much point as it basically transforms the CPS signal into rpm and cylinder balance outputs. I'm going to treat as a "black box" unless I discover some compelling reason to do otherwise.

So I'm making some progress...

cheers
Paul

**Disco Muppet** · 14th May 2013, 04:33 PM

So when can we arrange a code-to-order Transformer/Matrix ECU for our D2s?

My coding knowledge is limited to year 10 IST, so it's a bit beyond me

Thread: Reverse engineering the Td5 ECU

Thread Tools

Reverse engineering the Td5 ECU

Methodology

Bookmarks

Bookmarks

Posting Permissions